Well, let me start off by describing my goals with folder redirection and offline files:
1. All users will have their My Documents redirected to a folder with a DFS Namespace based on group membership.
2. All desktops will not have offline files disabled
3. All mobile devices (laptops/tablets) will have offline files enabled
Working with Windows XP SP2 computers.
Interestingly enough, the issue/concern I am having is with item #2. I have created two GPOs. The first GPO “My Documents Re-Direction” will be applied to all users. This GPO sets the My Document Redirection settings and also sets the “Do not automatically make redirected folders available offline” setting to enabled. The second GPO “Offline Files” will be applied to OUs that contain mobile devices (laptops/tablets). This GPO has the “Do not automatically make redirected folders available offline” disabled (user Configuration) with loopback enabled.
The two GPOs do everything I expected except on the desktop side. When a user logs off a desktop they see the Synchronization Manager. The synchronization manager states it’s syncing the root of the DFS Namespace, shows a status of Succeeded, but there are no files stored in the offline cache.
It appears that even though I have specifically enabled the “Do not automatically make redirected folders available offline”, the synchronization manager gets enabled when Folder Redirection is turned on even though there are no offline files to sync. Does anyone know of a way to set redirected folders via GPO(s), to not have the files available offline, and to not have the synchronization manager show up at logoff?
Wait..
Do you WANT Offline Files on desktops..
or
Do you want to PREVENT Offline files on desktops.. ?
Item #2 isn't clear. Please advise.
I am sorry, that wasn't very clear. #2 should have read:
2. All desktops will not have My Documents available offline
For desktops, I do not want offline files enabled by default for the redirected My Documents folder. I only want offline files enabled by default on the redirected My Documents folder for mobile devices.
Of course the issue I have is that even when I enable the "Do not automatically make redirected folders available offline" the synchronization manager still appears at logoff. The My Documents folder, which has been redirected, is not made available offline. However, even though the redirected My Documents isn't being made available offline, when the computer/user receives the GPO to redirect My Documents, synchronization manager is turned on, which obviously isn't syncing anything because no files are being made available offline, but the synchronization manager is still being displayed at logoff.
What I want to do is prevent the synchronization manager from being displayed on the desktops when I enable My Documents folder redirection. In addition, I don't want to break the synchronization manager for anyone who may have previously manually set some files offline and depend on synchronization manager running.
So to sum up what I want on desktop computers:
1. Redirect my documents to a network location
2. Do not make the my documents available offline
3. If synchronization manager was not previously enabled, do not enable it / do not show the synchronization manager during user logoff.
4. If synchronization manager was previously being used to make other files available offline, do not disable it.
I am still testing so none of this has been implemented yet except in my test lab.
Thanks,
Eric
There are two answers.
One is a WMI filter. I talk about it on page 610 of the 4th edition.
The other is Loopback Merge mode. More complex to set up, but you can apply "Do not Automatically Make Redirected Folders Available Offline" to your computers with that advanced technique.
That'll do it.
I was previously using the "Do not Automatically Make Redirected Folders Available Offline" and my problem was that even though the redirected folders were not available offline the synchronization manager was still running. After further testing I was able to determine that the necessary GPO setting to prevent the synchronization manager from appearing on desktops is: "Allow or Disallow use of the Offline Files feature".
For those who might be curious, here is an explanation of the approach I have chosen:
Goals:
1. Redirect My Documents to a network location (DFS Namespace). DFS Namespace provides greater flexibility for the future since there are no hard-coded server names or share names in the redirected path.
2. Be able to roll out the folder redirection for small groups of users at a time, instead of all the users immediately.
3. Do not make the My Documents available offline for all devices except mobile devices (laptops/tablets). For mobile devices, the end users on the devices may work disconnected from the network from time to time; when they are disconnected we still want those users to have access to their “My Documents” when disconnected from the network.
4. Make the implementation as seamless as possible for the end user.
5. Have separate policies to turn on offline files for mobile devices, but not have separate policies that are required to disable offline files for desktops/laptops. In other words, top level policy disables offline folders for all devices (setting turn off offline files as the default), but have separate policies that can enable offline files for mobile devices. If we create an OU, we don’t want to have to link a policy to that OU to disable automatic caching of the redirected My Documents folder.
6. Do not have offline files automatically cache files for those who support end users but still allow them the ability to manually set My Documents to be set as offline. When support personnel log into other laptops, we don’t want the support personnel’s My Documents to be cached as offline on that device. However, for those support personnel who have mobile devices, we still want to allow them the ability to set their “My Documents” as offline files.
To implement My Documents folder redirection, four GPOs will be used. The four GPOs and their settings are listed below; an explanation of the approach taken and explanations of why particular GPO settings were used can be found below the listed settings.
Disable Offline Files
  General
    Links
      Root of domain
  Computer Configuration
    Administrative Templates
      Network/Offline Files
        Allow or Disallow use of the Offline Files feature--------------Disabled

My Documents Redirection
  General
    Links
      (OU with users who will receive My Documents redirection, eventually root of domain)
  User Configuration
    Folder Redirection
      My Documents
        Setting: Advanced (Specify locations for various user groups)
          GROUP1----------------------------------------------------------Location1
          Options
            Grant user exclusive rights to My Documents---------------------Disabled
            Move the contents of My Documents to the new location-----------Enabled
            Policy Removal Behavior-----------------------------------------Restore Contents

Configure Offline Files (1 of 2)
  General
    Links
      (All Laptop-Tablet OUs)
    Delegation
      (Support people group(s) will have Apply Group Policy=Deny)
  Computer Configuration
    Administrative Templates
      Network/Offline Files
        Allow or Disallow use of the Offline Files Feature--------------Enabled
      System/Group Policy
        User Group Policy loopback processing mode----------------------Enabled
          Mode:----------------------------------------------------------Merge
  User Configuration
    Administrative Templates
      Network/Offline Files
        Event Logging Level---------------------------------------------Enabled (3)
        Synchronize all offline files before logging off-----------------Enabled
        Synchronize offline files before suspend-------------------------Enabled
          Type of sync to perform when suspending-------------------------Full

Configure Offline Files (2 of 2)
  General
    Links
      (All Laptop-Tablet OUs)
    Delegation
      (Authenticated Users removed)
    Security Filtering
      (Support people group(s), only those in these group(s) will receive this policy)
  Computer Configuration
    Administrative Templates
      System/Group Policy
        User Group Policy loopback processing mode----------------------Enabled
          Mode:----------------------------------------------------------Merge
  User Configuration
    Administrative Templates
      Network/Offline Files
        Do not automatically make redirected folders available offline--Enabled

The first question after reviewing the group policies likely is why four GPOs to accomplish this. The answer is simply that after significant testing that number of GPOs was the least number that could be used to accomplish all my goals. Below you will find descriptions of each of the policies:
Disable Offline Files
The essential purpose of this GPO is to disable offline files. This GPO will be linked to the root of the domain.
Q. Why disable offline files?
A. Testing has shown that this is the only Group Policy setting that could be used to prevent the synchronization manager from appearing on desktops/servers (during a logoff) after folder redirection was implemented. Since we want to make folder redirection as seamless as possible, we didn’t want end users of desktops or Citrix/Terminal servers to be seeing the synchronization manager running at logoff, even though the synchronization manager isn’t syncing anything.
Q. Why link this policy at the root?
A. We want to make sure that all devices (desktops/servers/special project machines/test computers/etc.) receive this policy. This will eliminate the synchronization manager from automatically being displayed on any device on which it is not intended to run.
Q. What about mobile devices, don’t we want them to have offline files available?
A. Another policy linked at each of the Laptops-Tablets OU will override this policy, making Offline Files available for mobile devices.
Q. Why not use the “Do not automatically make redirected folders available offline” setting instead?
A. Although the “Do not automatically make redirected folders available offline” GPO setting will prevent the redirected “My Documents” folder from automatically being made available offline, it will not prevent the synchronization manager from running, even though there are no offline files to synchronize. The “Allow or Disallow use of the Offline Files feature” setting serves both purposes; it prevents offline files from automatically being made available offline, and it prevents the synchronization manager from running.
My Documents Redirection
The essential purpose of this GPO is to redirect the end user’s “My Documents” folder to an appropriate network location. This policy uses group membership to determine the appropriate network location the user’s “My Documents” folder should be redirected to.
Q. What happens if a user isn’t a member of any of the groups defined in the policy, but the user is receiving the policy?
A. The user’s “My Documents” folder will not be redirected.
Q. What happens if a user is a member of multiple groups, likely a result of being employed for multiple affiliates?
A. The top most group that the user is a member of listed in the “My Documents Redirection” GPO will be the winning location for the user’s My Documents folder to be redirected to.
Q. What happens if the user’s group membership changes?
A. When group membership changes from one group to another, the user’s data will be transferred from the old location to the location specified by the new group membership.
Q. What happens to the user’s data if they are removed from the group that is used to determine the appropriate location to re-direct the My Documents folder?
A. When a user is removed from the group that is used to re-direct “My Documents”, that data will be transferred back to the default “My Documents” path on the user’s local computer. The user’s data will then only be available from that one computer. The user’s folder will still exist on the network; however, it will be empty.
Configure Offline Files (1 of 2)
The essential purpose of this GPO is to make “My Documents” available offline for users of mobile devices; this is done so that the user’s “My Documents” is still available when the user isn’t connected to the network. This policy is linked to each of the Laptops-Tablets OUs. Through delegation, this policy is denied to Support Personnel; note however that only the user configuration side is denied, the computer configuration side still applies regardless of who logs in.
In the Computer Configuration side of the GPO, “Allow or Disallow use of the Offline Files Feature” is enabled which overrides the Disabled setting from the “Disable Offline Files” GPO.
Loopback processing is enabled, to allow the user configuration settings to apply to almost all users who log into the laptops.
Q. Why use loopback processing, the user configuration settings that are applied in this policy are also available in the computer configuration side. Why not just use the computer configuration settings?
A. We don’t want these settings to apply to all users; we want to deny the settings (deny setting the redirected My Documents folder to automatically be set up as an offline folder) for support personnel. If we were to use the computer configuration side settings, there would be no way to deny these settings for some users since it would be applied at the computer level for all users. By denying the “Apply Group Policy” permission via delegation, we can prevent support personnel from automatically setting My Documents as an offline folder.
Configure Offline Files (2 of 2)
The essential purpose of this GPO is to aid in the prevention of automatically setting the user’s “My Documents” folder as offline for support personnel. Since the default for Windows XP is to automatically make redirected folders available offline, we need this policy to disable the default action for Windows XP. Using Security Filtering, only support personnel will receive this policy. This policy is linked to each of the Laptops-Tablets OUs.
Loopback processing is enabled; this is done to allow the user configuration setting to apply to support personnel who log into the laptops.
Q. Can’t “Configure Offline Files (1 of 2)” and “Configure Offline Files (2 of 2)” be combined?
A. No, because the setting in “Configure Offline Files (2 of 2)” contradicts the settings in “Configure Offline Files (1 of 2)”. Normal end users will only receive the “Configure Offline Files (1 of 2)” GPO whereas support personnel will only receive the “Configure Offline Files (2 of 2)”.
Q. Why can't the “Do not automatically make redirected folders available offline” setting be disabled in the “Disable Offline Files” GPO, then in the “Configure Offline Files (1 of 2)” the setting be enabled?
A. In theory you would expect this combination to work properly. You would expect that “automatically make redirected folders offline” would be disabled for all users/devices, but would then be enabled for all users of laptops except for support personnel. Testing has shown that with this GPO settings configuration, for some unknown reason, when laptop users reboot or shut down the synchronization manager doesn’t run; interestingly enough though, during a logoff the synchronization manager works as expected. By applying the GPO settings in the fashion documented, i.e. using “Configure Offline Files (2 of 2)”, we can get everything to work as expected.
Q. For support personnel with mobile devices, how can their redirected My Documents folder be made available offline since the “Configure Offline Files (1 of 2)” and “Configure Offline Files (2 of 2)” prevent this from happening automatically?
A. Right click on “My Documents” and select “Make Available Offline”.
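The resultant policy for the three cases in the write-up above (desktop, ordinary user on a laptop, support person on a laptop) can be checked with a small model of link order, security filtering and loopback Merge. This is an added example, not part of the original post; the container names, the "Support" group name and the short setting keys are placeholders chosen here.

```python
from dataclasses import dataclass, field

AUTH = "Authenticated Users"

@dataclass
class GPO:
    name: str
    link: str  # container the GPO is linked to
    computer: dict = field(default_factory=dict)
    user: dict = field(default_factory=dict)
    apply_to: frozenset = frozenset({AUTH})  # Security Filtering
    deny_to: frozenset = frozenset()         # Apply Group Policy = Deny

    def applies(self, groups):
        groups = set(groups) | {AUTH}
        return bool(groups & self.apply_to) and not (groups & self.deny_to)

# The page's GPOs; "My Documents Redirection" is left out because it sets no
# Offline Files policy. "Domain", "Laptops", "Support" and the setting keys
# are placeholder names (assumptions), not real policy or registry names.
GPOS = [
    GPO("Disable Offline Files", "Domain",
        computer={"AllowOfflineFiles": "Disabled"}),
    GPO("Configure Offline Files (1 of 2)", "Laptops",
        computer={"AllowOfflineFiles": "Enabled", "Loopback": "Merge"},
        user={"SyncAtLogoff": "Enabled"}, deny_to=frozenset({"Support"})),
    GPO("Configure Offline Files (2 of 2)", "Laptops",
        computer={"Loopback": "Merge"},
        user={"NoAutoPinRedirected": "Enabled"}, apply_to=frozenset({"Support"})),
]

def scoped(containers, groups):
    """GPOs linked along the path (domain first, OU last) that pass the filter."""
    return [g for c in containers for g in GPOS if g.link == c and g.applies(groups)]

def resultant(computer_path, user_path, user_groups, computer_groups=()):
    comp = {}
    for g in scoped(computer_path, computer_groups):
        comp.update(g.computer)  # the link closest to the object wins
    user_gpos = scoped(user_path, user_groups)
    if comp.get("Loopback") == "Merge":
        # Merge: GPOs in the computer's scope are processed last for the user
        # side, still filtered against the logged-on user's group membership.
        user_gpos += scoped(computer_path, user_groups)
    user = {}
    for g in user_gpos:
        user.update(g.user)
    return comp, user
```

Calling `resultant(["Domain", "Laptops"], ["Domain", "Staff"], {"Support"})` returns the computer-side and user-side settings a support person would receive on a laptop.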
That's some write up. I think I need to take some extra time to read that again and make sure I get the goals and what you accomplished, but it's a great addition. Thanks for the followup !
Hello All,
We redirect our user My Documents folder to a user network share via GPO: \\server_name\userid\documents
We set the documents folder to be available offline for just our mobile users.
However, Windows is making the root of the user share available offline: \\server_name\userid
When working completely offline (no network connections whatsoever), we are able to browse the entire user share, even though it is not made available offline.
Why is that?
Thanks.
Is there any drawback to enabling "Synchronize all offline files when logging on"?